New cyber norms to protect cyberspace

In the past two years, the industry has been proposing new cyber norms to protect cyberspace. The industry is increasingly stepping into a norm-developing role, which was previously mainly the ambit of governments. In this space, you can follow the developments on the main proposals: Microsoft's proposed Digital Geneva Convention, the Cybersecurity Tech Accord, the Charter of Trust for a Secure Digital World, and Google's proposed legal framework for digital security and due process.

27-28 September 2017: The Consulate General of Switzerland in San Francisco and swissnex San Francisco, together with US, Swiss, and international partners, organised the Crisis Code: Humanitarian Protection in the Digital Age conference at swissnex San Francisco. The aim of the conference was to collectively examine international humanitarian and human rights laws, standards, and norms in light of new cyber-realities.

Microsoft's proposal for a Digital Geneva Convention

Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.

What is the main aim of a Geneva Digital Convention?

The Geneva Digital Convention, proposed by Brad Smith, Microsoft’s President and Chief Legal Officer, aims at creating binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. Embedded within a convention, these and a few additional norms could become a legal obligation, with corresponding enforcement mechanisms. According to Microsoft’s proposal, the convention should motivate states to adhere to the agreed norms.

What should a Geneva Digital Convention regulate?

Image credit: Microsoft

The six principles proposed by Microsoft are largely grounded in national security, relating to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as an ius ad bellum principle, dealing with the justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and in peacetime operations.

Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.

If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc), as well as human rights issues, including a potential right to safe access to the Internet.

Cybersecurity Tech Accord

In April 2018, 34 tech companies - including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell among others - agreed on the Cybersecurity Tech Accord, publicly committing to protect and empower all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states, and to improve the security, stability and resilience of cyberspace.

The four principles to which the companies committed could be summarised as:

Stronger defence: protecting all of their users and customers everywhere, including through developing products and services that prioritize security, privacy, integrity and reliability;

No offense: opposing cyberattacks on innocent citizens and enterprises from anywhere, through protecting against tampering with and exploiting possible vulnerabilities in products and services, and not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere;

Collective action: partnering with each other and with like-minded groups to enhance cybersecurity, to improve technical cooperation, coordinated vulnerability disclosure, and threat and information sharing, to minimize the levels of malicious code being introduced into cyberspace, and to support civilian efforts to respond to and recover from cyberattacks.

Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.

As of June 2018, 45 companies have signed the Accord. Out of the “big five” companies, Microsoft and Facebook have signed it, while Apple, Amazon and Google have not. Signatories of the “Charter of Trust” have not yet signed the Accord. The list of signatories is available at the bottom of the homepage of the Cybersecurity Tech Accord.

Charter of Trust for a Secure Digital World

In February 2018, several leading global technology companies - Siemens, IBM, Deutsche Telekom, Airbus and others - presented their joint Charter of Trust for a Secure Digital World, calling for shared ownership of cyber and IT security by various stakeholders, responsibility throughout the supply chain, security by default, education, certification for critical infrastructure and solutions, transparency and response, a regulatory framework, and joint initiatives.

The 10 principles of the Charter could be summarised as:

Ownership of cyber and IT security: Responsibility anchored at the highest governmental and business levels - designated ministries and CISOs.

Responsibility throughout the digital supply chain: Risk-based rules, baseline standards (including identity and access management, encryption, and continuous protection) and protection across all IoT layers in place in companies, and governments if necessary.

Security by default: The highest level of security and data protection built into the design of products, functionalities, processes, technologies, operations, architectures, and business models.

User-centricity: Products, systems, and services as well as guidance provided based on the user’s cybersecurity needs, impacts, and risks.

Innovation and co-creation: Driving and encouraging contractual public-private partnerships to deepen understanding and adapt security practices to new threats.

Education: Cybersecurity courses in schools, at universities, and within professional education and training, introduced to enable the transformation of skills and job profiles of the future.

Certification for critical infrastructure and solutions: Mandatory independent third-party certification for critical infrastructure and critical IoT solutions established within companies, and governments if necessary.

Regulatory framework: Multilateral collaboration promoted in regulation and standardisation in line with the work of the World Trade Organisation, and cybersecurity rules included in Free Trade Agreements.

Joint initiatives: Collaboration through joint initiatives, and with other stakeholders.

The nine signatories are listed in the Charter document.

Google's proposed legal framework for digital security and due process

The Internet industry is under increasing pressure from governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome: a regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.

Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.
